Mastering risk oversight: ERM reporting strategies for executive decision-making
Without risk, there can be no reward. But how can today’s organizations manage risk effectively, and how does new technology change the risk landscape? Most importantly, what does all this mean for boards?
In a recent discussion at Diligent’s ERM Virtual Summit, I asked a panel of experts to provide their thoughts on mastering risk oversight. The panel included:
- Bob Brennan, Chairman of BitSight, Board Director of ThoughtWorks and Fairwinds
- David Platt, Chief Strategic Development Officer at Moody's
- Brian Stafford, President and CEO of Diligent
From identifying the most critical risks today to anticipating the risks of the future, here are some highlights from our enlightening conversation.
Risk: Different sides of the same coin
Risk continues to evolve and expand rapidly, which is why boards need full visibility into their organization’s risk posture — something that has traditionally been difficult to achieve.
I kicked off the discussion by asking Brennan what types of risk data organizations need to report to their board, and how often they should share this data.
Brennan encouraged us to look at risk as a coin with two sides. “One side enables the organization to take risk, not simply mitigate it,” he said. “And too often, boards and management teams, especially when working together, focus on the mitigation of risks that pose potential danger to the company, and not enough on the risks that they should take.”
Motioning to Platt, Brennan went on to explain that Moody’s might face risk from AI, but they also have opportunity connected to the same technology. “They dove in, and now everybody in the organization embraces it,” he said.
“It's not AI that's going to take your job, it's the person that knows AI,” Brennan added. “[Platt] and the team decided to use that fact to take advantage of the opportunity, as opposed to looking at it only as a threat.”
As for the mitigation side of the coin, organizations need to keep an eye out for emerging risks — including the risk of a data breach. “The hacker only has to be right once, but the enterprise has to be perfect,” Brennan stressed.
Platt shared some real-world examples of communicating the threat and relevance of particular risks to a board. “You tell the board what they need to know, not what you know,” he said.
Articulating risks effectively
Not every board member is a risk expert, so it’s important to have ERM reports tailored for all levels of understanding.
Stafford noted that the average publicly traded company reports about 30 risks in its 10-K. “The real issue is figuring out which of those risks matter the most,” he said. “In many cases, there are three to five risks that actually really matter, and they tend to differ by company.”
Regardless of what the risks are, you need to “communicate them the right way to the board to help them prioritize,” he added.
When it comes to communicating risk information effectively, Platt called out the importance of using plain language. “We use plain English. Otherwise, the board can think, ‘I hear your words, but I'm not sure I get what's going on.’”
“The job of management is to tell the board what you believe matters most and what you're doing about it,” Platt continued. “A nice expression that I learned long ago, was ‘You tell the board what they need to know, not what you know.’”
Visualizations, such as heat maps, also help get key facts across. “I think it's simple but powerful to be able to look at just a visualization of your risks,” Stafford said. “As a CEO or leader, I want to see across our organization if we have a comprehensive view of what the risks are. And I do want to see that prioritization.”
That prioritization will be specific to your industry and your organization. “The way you prioritize is going to be specific to your business, your strategy and how you look at it,” Stafford continued. “The heat map gives me, as a CEO, and any board member, a view of whether the management team is being thoughtful and looking at a broad set of risks.”
An evolving risk landscape
If we know anything, we know that the risk landscape will continue to change. As we neared the end of our discussion, I asked the panelists what they expect to see five or ten years from now.
Platt stressed the importance of using the right tools today to prepare for tomorrow. “The future is here,” he emphasized. “Generative artificial intelligence, advanced data tools and visualization are game changers, and they’re here. You have to be able to use them.”
“The whole topic of generative AI is a proxy for having your data and technology in good order,” he continued. “If you're not organized, you can't use these new technologies safely. You've got an issue, and you're going to fall behind.”
Stafford built upon Platt’s ideas, adding that organizations need to have all their data in one place. “You can’t manage what you don’t measure,” he stated.
Brennan was optimistic about labor-saving tools coming down the pike, “so we don't have skilled workers doing pedestrian stuff and filling out forms. I think you'll see a platform emerge in the coming years that creates enormous value downstream for boards of directors and management teams,” he said. “And enormous value will accrue to the company that helps bring assessment tools together through this platform.”
For more tips on keeping the board and everyone in the risk management chain informed with the right data, download our checklist for effective ERM reporting.